From: Daniel Stenberg Date: Sun, 29 Jun 2025 14:17:49 +0000 (+0200) Subject: VULN-DISCLOSURE-POLICY: all reports should be disclosed X-Git-Tag: curl-8_15_0~133 X-Git-Url: http://git.ipfire.org/cgi-bin/gitweb.cgi?a=commitdiff_plain;h=ff15eef2d6f27d495fec9a68cf39aace58f8d5b8;p=thirdparty%2Fcurl.git VULN-DISCLOSURE-POLICY: all reports should be disclosed As a matter of policy. Closes #17778 --- diff --git a/docs/VULN-DISCLOSURE-POLICY.md b/docs/VULN-DISCLOSURE-POLICY.md index ed2827bf2d..8ec4d9b89f 100644 --- a/docs/VULN-DISCLOSURE-POLICY.md +++ b/docs/VULN-DISCLOSURE-POLICY.md @@ -134,13 +134,16 @@ somewhat over time and a list somewhere only risks getting outdated. 6. On security advisory release day, push the changes on the curl-www repository's remote master branch. -## HackerOne +## Disclose the report Request the issue to be disclosed. If there are sensitive details present in the report and discussion, those should be redacted from the disclosure. The default policy is to disclose as much as possible as soon as the vulnerability has been published. +*All* reports submitted to the project, valid or not, should be disclosed and +made public. + ## Bug Bounty See [BUG-BOUNTY](https://curl.se/docs/bugbounty.html) for details on the
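Review bot: The sentence added at the end of the "Disclose the report" section says all reports, valid or not, should be made public, but the only timing the section gives is "as soon as the vulnerability has been published", which does not apply to a report that is judged invalid and never gets an advisory. Suggest stating when such a report is disclosed (for example, once it has been closed) and whether the redaction rule in the preceding paragraph applies to it too. With the heading renamed from "HackerOne", the line "Request the issue to be disclosed" also no longer says where that request is made; consider naming the platform or tracker in that sentence.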